RFR: 8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized

Tobias Hartmann thartmann at openjdk.org
Wed Dec 13 12:09:39 UTC 2023


On Wed, 13 Dec 2023 11:57:42 GMT, Tobias Hartmann <thartmann at openjdk.org> wrote:

> [JDK-8297933](https://bugs.openjdk.org/browse/JDK-8320292) added code that relies on lazy initialization of the `TypeAryPtr::_klass` field. However, there are cases when the field is not yet initialized, leading to a null pointer dereference at C2 compilation time.
> 
> In the failing case we process a CmpP:
> 
>  116  Phi  === 109 160 57  [[ 120 128 128 ]]  #long[int:1..2] (java/lang/Cloneable,java/io/Serializable):NotNull:exact * !jvms: TestSimple::test @ bci:11 (line 32)
>   10  Parm  === 3  [[ 173 143 128 40 120 128 94 72 83 ]] Parm0: long[int:>=0] (java/lang/Cloneable,java/io/Serializable):exact * !jvms: TestSimple::test @ bci:-1 (line 29)
>  120  CmpP  === _ 10 116  [[ 121 ]]  !jvms: TestSimple::test @ bci:13 (line 32)
> 
> `CmpPNode::sub` performs a subtype check to check if the klasses of its two operands are unrelated. We crash in `ciKlass::is_subtype_of` because the `TypeAryPtr::_klass` field is not initialized (`= nullptr`) for the `116 Phi` operand.
> 
> The issue only reproduces with release builds because [additional verification code](https://github.com/openjdk/jdk/blob/21cda19d05b688148f023f6d92778b5da210b709/src/hotspot/share/opto/type.cpp#L996-L1007) in `Type::meet_helper` in debug builds calls `klass()` which leads to eager initialization of the `_klass` field. When disabling the verification code, the issue also reproduces with debug builds and we hit the `this_one->_klass != nullptr && other->_klass != nullptr` assert in `TypePtr::is_same_java_type_as_helper_for_array`.
> 
> The fix is to always use the `klass()` method for accesses which makes sure that the field is properly initialized since the overhead is negligible. The patch also includes some unrelated removal of dead code in `TypeAryPtr::compute_klass` (after [JDK-8297933](https://bugs.openjdk.org/browse/JDK-8320292), the verify argument is always false).
> 
> Thanks,
> Tobias

Thanks for the quick review, Roland!

-------------

PR Comment: https://git.openjdk.org/jdk/pull/17085#issuecomment-1853797822
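The failure mode described in the quoted PR summary (a lazily initialized cache field read directly instead of through its initializing accessor, with debug-only verification code masking the bug by calling the accessor first) is reproduced below in a self-contained C++ sketch. This is an added example, not HotSpot code: `Klass`, `ArrayType`, `unrelated_direct`, `unrelated_fixed` and the constructed class hierarchy are all hypothetical stand-ins for `ciKlass`, `TypeAryPtr`, and the subtype check in `CmpPNode::sub`; the raw-field path returns a sentinel where C2 would dereference `nullptr`.

```cpp
#include <cassert>

// Hypothetical klass descriptor standing in for HotSpot's ciKlass.
struct Klass {
  const Klass* super;        // superclass, nullptr for the root
  const Klass* array_klass;  // klass of arrays with this element type
  bool is_subtype_of(const Klass* other) const {
    for (const Klass* k = this; k != nullptr; k = k->super) {
      if (k == other) return true;
    }
    return false;
  }
};

// Hypothetical analogue of TypeAryPtr: the array klass is derived from the
// element klass on demand, and the result is cached in a lazily filled field.
class ArrayType {
 public:
  explicit ArrayType(const Klass* elem) : _elem(elem), _klass(nullptr) {}
  // Accessor: fills the cache on first use, so callers never see nullptr.
  const Klass* klass() const {
    if (_klass == nullptr) _klass = _elem->array_klass;
    return _klass;
  }
  // Raw field read, exposed only so the example can show the latent bug.
  const Klass* raw_klass() const { return _klass; }
 private:
  const Klass* _elem;
  mutable const Klass* _klass;
};

enum { RELATED = 0, UNRELATED = 1, UNINITIALIZED = -1 };

// Before the fix: reads the raw field. `verify` mimics the debug-only
// verification that happens to call klass() first and thereby hides the bug.
int unrelated_direct(const ArrayType& a, const ArrayType& b, bool verify) {
  if (verify) { a.klass(); b.klass(); }   // side effect of the debug-only check
  const Klass* ka = a.raw_klass();
  const Klass* kb = b.raw_klass();
  if (ka == nullptr || kb == nullptr) return UNINITIALIZED;  // C2 dereferenced this
  return (ka->is_subtype_of(kb) || kb->is_subtype_of(ka)) ? RELATED : UNRELATED;
}

// After the fix: always go through the accessor, whatever the build type.
int unrelated_fixed(const ArrayType& a, const ArrayType& b) {
  const Klass* ka = a.klass();
  const Klass* kb = b.klass();
  return (ka->is_subtype_of(kb) || kb->is_subtype_of(ka)) ? RELATED : UNRELATED;
}

// Constructed hierarchy (not real JVM metadata): Object <- long[], Object <- int[].
static const Klass g_object   = {nullptr, nullptr};
static const Klass g_long_arr = {&g_object, nullptr};
static const Klass g_int_arr  = {&g_object, nullptr};
static const Klass g_long     = {nullptr, &g_long_arr};  // primitive element types
static const Klass g_int      = {nullptr, &g_int_arr};

// Release-like scenario: fresh types, no verification, raw field read.
int scenario_release_direct() {
  ArrayType a(&g_long), b(&g_int);
  return unrelated_direct(a, b, /*verify=*/false);
}

// Debug-like scenario: the verification side effect initializes the field first.
int scenario_debug_direct() {
  ArrayType a(&g_long), b(&g_int);
  return unrelated_direct(a, b, /*verify=*/true);
}

// Fixed code: correct in both build types, for related and unrelated arrays.
int scenario_fixed(bool same_element) {
  ArrayType a(&g_long), b(same_element ? &g_long : &g_int);
  return unrelated_fixed(a, b);
}

int main() {
  assert(scenario_release_direct() == UNINITIALIZED);  // the reported crash
  assert(scenario_debug_direct() == UNRELATED);        // masked in debug builds
  assert(scenario_fixed(false) == UNRELATED);
  assert(scenario_fixed(true) == RELATED);
  return 0;
}
```

The point the scenarios make is the one the PR summary makes: an accessor that initializes on demand is only a guarantee if every reader uses it, and a debug-only path that happens to trigger the initialization can hide a release-only null dereference from the test suite.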
